authorJouni Malinen <j@w1.fi>2014-09-07 14:10:33 (GMT)
committerJouni Malinen <j@w1.fi>2014-09-07 14:10:33 (GMT)
commit6473e80ea49d396ad07b5780af421a7600b58655 (patch)
tree14bd666905017b33b308d5995b9b8334183985d9 /src/eap_server/eap_server_pax.c
parent6a6566c7af2d9aa5730b49f6e2b80783c4442274 (diff)
EAP-PAX server: Add explicit CID length limit
Instead of using implicit limit based on 16-bit unsigned integer having a maximum value of 65535, limit the maximum length of a CID explicitly to 1500 bytes. This will hopefully help in reducing false warnings from static analyzers (CID 72712). Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_server/eap_server_pax.c')
-rw-r--r--src/eap_server/eap_server_pax.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/eap_server/eap_server_pax.c b/src/eap_server/eap_server_pax.c
index c87848c..d9d4375 100644
--- a/src/eap_server/eap_server_pax.c
+++ b/src/eap_server/eap_server_pax.c
@@ -287,7 +287,7 @@ static void eap_pax_process_std_2(struct eap_sm *sm,
struct eap_pax_hdr *resp;
u8 mac[EAP_PAX_MAC_LEN], icvbuf[EAP_PAX_ICV_LEN];
const u8 *pos;
- size_t len, left;
+ size_t len, left, cid_len;
int i;
if (data->state != PAX_STD_1)
@@ -320,7 +320,12 @@ static void eap_pax_process_std_2(struct eap_sm *sm,
wpa_printf(MSG_INFO, "EAP-PAX: Too short PAX_STD-2 (CID)");
return;
}
- data->cid_len = WPA_GET_BE16(pos);
+ cid_len = WPA_GET_BE16(pos);
+ if (cid_len > 1500) {
+ wpa_printf(MSG_INFO, "EAP-PAX: Too long CID");
+ return;
+ }
+ data->cid_len = cid_len;
os_free(data->cid);
data->cid = os_malloc(data->cid_len);
if (data->cid == NULL) {
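Review bot: The bound in `if (cid_len > 1500) {` is a bare literal, and nothing next to it says why 1500 was chosen for a length field read from the received PAX_STD-2 message. A named constant with a one-line comment, for example `#define EAP_PAX_MAX_CID_LEN 1500` (suggested name) used as `if (cid_len > EAP_PAX_MAX_CID_LEN) {`, would keep the limit in one place. Logging the rejected value, `wpa_printf(MSG_INFO, "EAP-PAX: Too long CID (%lu)", (unsigned long) cid_len);`, would make oversized-CID messages easier to spot in logs. Separately, `data->cid_len` is assigned before the `os_malloc()` result is checked; the allocation-failure branch continues outside the hunk, so it is worth confirming that it does not leave `data->cid` NULL with a non-zero `data->cid_len`.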